Re: jar(1) -- directory traversal

[Moritz Muehlenhoff <jmm () debian org>]

On Fri, Jan 16, 2015 at 06:03:55AM +0300, Alexander Cherepanov wrote:
> Hi!
>
> jar(1) in Debian jessie (openjdk-7-jdk 7u71-2.5.3-2) is susceptible to a
> directory traversal vulnerability via absolute and relative paths. Other
> distros could also be interested in this issue.
>
> Initial report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953
>
> Not sure if this is just CVE-2005-1080 not fixed or something else. But
> please note that CVE-2005-1080 talks about .. only.
>
> Debian security team forwarded the report to Oracle Security Team at
> 2015-01-12 11:01 +0100. Thanks!

This appears to have been fixed in the recent Java CPU and was assigned
CVE-2015-0480:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Cheers,
        Moritz